Researcher argues for open hardware to defend against NSA spying

While there is no foolproof defense against government spying, snooping by entities like the National Security Agency could be made far more difficult through the use of Internet infrastructure built on open-source hardware, an academic researcher says.

In an Op-Ed piece published Tuesday in The New York Times, Eli Dourado, a research fellow at George Mason University, argued that companies using open hardware would be in a better position to detect backdoors or vulnerabilities planted by the NSA or any other government agency.

"To make the Internet less susceptible to mass surveillance, we need to recreate the physical layer of its infrastructure on the basis of open-source principles," wrote Dourado, who is with the technology policy program at George Mason's Mercatus Center.

Some experts were skeptical of the idea, saying the NSA would find other means to compromise systems, whether it was through the cooperation of software vendors or finding unknown vulnerabilities in the hardware.

"I don't see how this attempt at disintermediation would succeed," Al Pascual, analyst for Javelin Strategy & Research, said.

According to Dourado, success would come from the fact that anyone could fully audit the hardware, make changes and then distribute the modifications to others. This model has driven the success of open source software used across the Internet today. Such technology includes the Linux operating system and the Apache Web server.

Mistrust over the security of proprietary technology has been fed by revelations that the NSA collaborated with companies like Microsoft, Apple and Google to program encryption weaknesses into popular consumer products and services, which gave the agency the ability to siphon user data. The revelations are based on documents leaked to the media by former NSA contractor Edward Snowden.

The documents have also described how the NSA has been able to tap into the infrastructure of the Internet, intercepting traffic flowing through cables, routers and switches.

Such hardware would be much more difficult to tap undetected if the companies using it could see all of the underlying technology, including the firmware, Dourado says.

"There is reason to be skeptical about the security of these networking products. The hardware firms that make them often compete for contracts with the United States military and presumably face considerable pressure to maintain good relations with the government. It stands to reason that such pressure might lead companies to collaborate with the government on surveillance-related requests," he wrote.

Examples of U.S. companies that make such hardware include Cisco, Hewlett-Packard and Juniper Networks. However, the same reasoning could apply to competitors based in foreign countries.

While the ability to fully audit hardware sounds good, the reality is many organizations do not have the people with the expertise to continuously examine updates of low-level code in hardware, Murray Jennex, a professor of information system security at San Diego State University, said.

"In principle a good idea, but in practice not so much," he said.

"Auditing code is always difficult, this will be low-level code that is difficult to follow. I think it will create an illusion of openness that will still be relatively easy to conceal backdoors and such in."

Dourado has his supporters. James W. Gabberty, a professor of information systems at Pace University, said "no other information security control trumps the importance of regular and comprehensive auditing."

"Moving towards an Internet infrastructure that is 100% auditable by both governments and companies alike makes the most sense since, after all, we live in an era of increasing paranoia exacerbated by highly publicized regular hacking incidents of our most important societal systems," he said.

Trust of U.S. technology in light of the NSA revelations has become a concern for vendors selling overseas. Malcolm Harkins, vice president and chief information security and privacy officer for Intel, recently told Network World that customers have expressed a lack of confidence in U.S.-based tech vendors.

Brazil's president, Dilma Rousseff, was so angered after learning that she, the state-owned oil company and citizens were spied on by the NSA that she postponed attending a state dinner in her honor in Washington, D.C. Brazil is considering laying fiber optic cable to avoid having its Internet traffic run through the U.S.

Even if governments, universities and private organizations switched to hardware and software that was "100 percent open and auditable," they wouldn't be completely safe from spying, Dourado conceded. However, they would make surveillance efforts more difficult and less effective.

"A 100 percent open-infrastructure Internet -- a trustworthy Internet -- would be an important step in the empowerment of individuals against their governments the world over," he concluded.


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.